Simple Malware Discovery Measures

If we really want to take virus protection seriously, we will get involved with reporting suspicious files to anti-virus vendors.

Malware developers thrive because very few people investigate virus alerts. A typical web-based virus attack scenario consists of multiple components. A person may willingly install software (a Trojan horse) and that software may download additional malicious components. A person may inadvertently install software, be the victim of a drive-by download, when visiting a web site. This software also downloads additional malicious components. Frequently one or more of these components is already detected as malicious. The malicious developer needs at least one of these measures to be successful. The malicious person can be detected if at least one of these measures is detected. At least one measure is often detected.

Unfortunately, it is generally thought that if anti-virus software has detected a threat, then it is sufficiently addressed. Thus enables the malicious person to try as many threats as they wish.

• Undetected threats work.
• Detected threats are ignored.

If enough people follow up on enough of these detected threats, then submit samples to anti-virus vendors and report malicious sites found, we can make malware development less profitable and less attractive.

There’s a mystique to finding malicious files, a belief that you need special skills. That’s not true. There’s a belief that it is the job of the anti-virus vendor to both find the malicious files and to develop protection. How is the vendor supposed to find the files?

Abandon those misconceptions. You can be informed about various attacks before you read about them, if you just look.

A simple measure would be “web browser forensics.” What was downloaded at the same time as the detected file? These files would be suspect.

Upload the suspicious file to VirusTotal. You may find that other anti-virus vendors already consider the file to be suspicious. Give your vendor the file.

MalwareSigs Helping Network Analysts Detect Malware

Redline is Mandiant’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.

Malware wants persistence, so review Windows registry locations that malware may use to ensure it gets run. That would include the usual Autoruns locations, such as:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCR\exefile\shell\open\command
HKLM\SOFTWARE\Classes\exefile\shell\open\command
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs=
HKLM\SYSTEM\CurrentControlSet\Services

There are also less frequently investigated registry entries, such as:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger=
can be a malicious payload.

Parse user hives, not only the current user.

Identify suspicious keys in Registry Hives, such as long entries and anything that would point to signs of malware presence/persistence.

Eric Zimmerman’s Registry Explorer can make malware review simple. Set the filter for keys over a certain size. There are a few normal windows keys that are large, but your results will be very small if you set the filter to 1024.

get-childitem registry::hkcu\Software\Microsoft\Windows\CurrentVersion
-recurse | get-item | select property

Pipe that to a text file and you’ll get a recursive list of every value in
the currentversion area. Delete everything back to HKCU (or replace it with
HKLM) to get a full dump. One caveat is that it will pair everything in the
output file to the same brackets if you redirect (>) it, but the large, typically base64 code that malware stores will stick out. You can also do this with offline hives.

From the registry dump, a Python script can read the lines of a text file. Something like

list = []
a = open("pathtofile.txt").read().split("\n")
for item in a:
list.append(item)

and then just do a for item in list, length of item check. But the main
part can be done by PowerShell (and could probably done at scale in an
enterprise, now that I think about it).

Assemblyline is a malware detection and analysis tool developed by Canada’s Communications Security Establishment (CSE) and released to the cybersecurity community in October 2017. Assemblyline is designed to assist cyber defense teams to automate the analysis of files and to better use the time of security analysts. The tool recognizes when a large volume of files is received within the system, and can automatically rebalance its workload. Users can add their own analytics, such as antivirus products or custom-built software, in to Assemblyline. The tool is designed to be customized by the user and provides a robust interface for security analysts.

A Complementary Measure: OTL by OldTimer
OTL by OldTimer presents system information, processes, modules, services, drivers, Internet Explorer extensions, Firefox extensions, browser helper objects (BHO), run keys and recently modified files. Your task is to find the anomalous entries and files and forward them to your vendor for review.

An even simpler measure: What’s new in System32? Sort by Date Modified, and see what’s at the top (or bottom) of the list. This is will miss a lot of malware, but will discover suspicious files with very little training. The scenario is: your antivirus found something, but did it find everything? By looking for a dll (or exe) file with a recent (perhaps today’s) date, you have located a suspicious file. Similarly, find what’s new in the Hidden Files areas (user’s temporary files, C:\Windows\Downloaded Program Files).

Another Simple Measure: Madiant Red Curtain.
MRC examines executable files (not only .exe and .dll files, but many more) looking at entropy (randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.”  Sort the result by “Score” and review the files with a high score. Use the built-in Help feature for an explanation of what MRC found.

Another Simple Measure: Windows File Analyzer
The Windows PreFetch Folder contains information about programs that have been running. If malicious software has been installed, it is probably listed in the Windows\PreFetch folder. This narrows the number of suspected programs considerably.

Damballa Failsafe is a purpose-built, specialized threat protection solution, which hunts for these hidden threats utilizing an array of patent-pending technologies.

PowerShell ♥ the Blue Team describes PowerShell features for detecting malware.